
Re: Proxy 2.0 secure?


John McDermott (jjmjkintl.com)
Mon, 29 Jun 98 10:19:34


Brian,

--- On Mon, 29 Jun 1998 11:54:08 -0400 Brian Steele
<steele_bspiceisle.com> wrote:

<snip>

>Interesting idea. My lease time is short. VERY short. But I haven't come
>across a problem yet mapping between IP and MAC addresses. See below...

<snip>

>We've got an asset database here that contains information about each PC,
>including the MAC address for the NIC employed therein. To determine which
>MAC address belongs to which IP address, I could do a reverse-lookup on the
>IP address to get the name assigned to that PC, then look up the information
>in the database.
>

Here's the rub. Let's say we discover a problem with 10.1.1.1 an hour ago
(two assumptions: 1) you do logging, 2) your leases are less than 1 hour
long). We go to the asset database, but it was generated for the current
lessor of the address, not the one an hour ago. The consequence is that we
look in the wrong place for the trouble.

By the way, if the lease time is short, and the database gets the
information, just out of curiosity, what tool are you using to extract that
information? Do you pull it directly from your DHCP server (I gather it's
MS), or do you snapshot the net at regular intervals?

>
>>How about placing a proxying
>>firewall or NAT device between you and the other business unit when you do
>>that. That will allow you to use private addresses internally which you
>>can go to now. A class A (network 10.0.0.0) is really nice to use...
>
>
>We are presently using private addresses internally. So are some of the
>other business units. Problem is that there's a few places where the
>address allocation overlaps. We could perhaps use NAT between the business
>units, but there's a performance hit using NAT, as well as configuration
>issues (for example Netmeeting support). I'd probably go for the
>re-addressing route, and dynamic DHCP allows me to change all the PCs over
>quite quickly, if ever it becomes necessary, with little cost to us.

I don't know about your level of trust with the other business units, but
I'd sure like to have an internal firewall between me and any other
business unit, personally. Such a firewall need not be slow, and that
performance hit need not be much of a hit unless we're talking many tens of
megabits of transfer between the units.

This is why IPv6 is so nice...

I thought the result of the discussion on this list was that there was a
way to get Netmeeting through a firewall, albeit with less security than
other protocols. Some security is better than none, IMHO.

>
>
>Brian Steele
>
>
--john

-----------------End of Original Message-----------------

-------------------------------------
Name: John McDermott
VOICE: 505/377-6293 FAX 505/377-6313
E-mail: John McDermott <jjmjkintl.com>
Writer and Computer Consultant
-------------------------------------
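The attribution problem John raises above (an asset lookup against the
current holder of an address mis-attributes an event from an hour ago when
leases are short) is illustrated by the following added example. It is not
code from the original post or from NFR; it assumes a DHCP server log with
one "timestamp DHCPACK ip mac" line per lease grant, a fixed lease length,
and an asset database keyed by MAC address. The log lines, MAC addresses and
machine names are constructed for the example.

```python
"""
Which machine held an IP address at the time of an event?

Added example; not code from the original post or from NFR. It assumes a
DHCP server log with one line per lease grant ("timestamp DHCPACK ip mac"),
a fixed lease length, and an asset database keyed by MAC address. All of
the log lines, names and addresses below are constructed for the example.
"""
from datetime import datetime, timedelta

LEASE_LENGTH = timedelta(minutes=30)   # assumed server lease time

# Constructed lease log. 10.1.1.1 changes hands at 10:05.
DHCP_LOG = """\
1998-06-29 09:00:00 DHCPACK 10.1.1.1 00:60:08:aa:bb:01
1998-06-29 09:00:05 DHCPACK 10.1.1.2 00:60:08:aa:bb:02
1998-06-29 09:30:00 DHCPACK 10.1.1.1 00:60:08:aa:bb:01
1998-06-29 10:05:00 DHCPACK 10.1.1.1 00:60:08:aa:bb:03
1998-06-29 10:35:00 DHCPACK 10.1.1.1 00:60:08:aa:bb:03
"""

# Constructed asset database: MAC -> machine name.
ASSET_DB = {
    "00:60:08:aa:bb:01": "pc-alice",
    "00:60:08:aa:bb:02": "pc-bob",
    "00:60:08:aa:bb:03": "pc-carol",
}


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_leases(log_text):
    """Return a list of (start, end, ip, mac) tuples, one per DHCPACK line."""
    leases = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2] != "DHCPACK":
            continue                     # ignore blanks and other message types
        start = _ts(f"{fields[0]} {fields[1]}")
        leases.append((start, start + LEASE_LENGTH, fields[3], fields[4].lower()))
    return leases


def mac_holding(leases, ip, when):
    """MAC that held `ip` at the instant `when` ("YYYY-MM-DD HH:MM:SS").

    Returns None when no lease covered that instant: the log has a gap and
    the address should not be attributed to anyone by guesswork.  Where
    grants overlap (a renewal before expiry) the most recent grant wins.
    """
    t = _ts(when)
    best = None
    for start, end, lease_ip, mac in leases:
        if lease_ip == ip and start <= t < end:
            if best is None or start > best[0]:
                best = (start, mac)
    return best[1] if best else None


def current_holder(leases, ip):
    """What a 'look up the address now' query gives: the latest grant for `ip`.

    This is the lookup the thread warns about; it is right only if the event
    is more recent than the last change of hands.
    """
    grants = [(start, mac) for start, _, lease_ip, mac in leases if lease_ip == ip]
    return max(grants)[1] if grants else None


def attribute_event(leases, ip, when):
    """(mac, machine name) responsible for `ip` at `when`, or (None, None)."""
    mac = mac_holding(leases, ip, when)
    return (mac, ASSET_DB.get(mac, "not in asset DB")) if mac else (None, None)


if __name__ == "__main__":
    leases = parse_leases(DHCP_LOG)
    # An alert on 10.1.1.1 at 09:45, investigated an hour later.
    print("at the time :", attribute_event(leases, "10.1.1.1", "1998-06-29 09:45:00"))
    print("current     :", current_holder(leases, "10.1.1.1"))
    # 10:02 falls in a gap between the 09:30 lease expiring and the 10:05 grant.
    print("in log gap  :", attribute_event(leases, "10.1.1.1", "1998-06-29 10:02:00"))
```

For the 09:45 event the time-aware lookup returns pc-alice, while the
"current holder" lookup returns pc-carol, who did not have the address until
10:05. The gap case matters in practice: a host that keeps using an address
after its lease expired (a static configuration, or a squatter) leaves no
DHCPACK covering the event, and the honest answer is "no lease record"
rather than whichever client was granted the address most recently.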
